Taxonomy of security risk assessment approaches for researchers

This article introduces a taxonomy of security risk assessment approaches. The taxonomy is built around the open challenges of the information system security (IS-Security) risk assessment discipline. Traditionally, classification schemes for IS-Security risk assessment approaches are motivated by business needs: they aim to give management an effective tool for selecting a method that meets its needs, rather than serving research needs. Researchers, by contrast, may care more about new ideas, about how to improve the approaches within the existing paradigms, and about how to create a new paradigm that solves the problems the existing paradigms leave unsolved, than about business interests. The taxonomy proposed in this article aims to guide researchers in choosing research areas and in discovering new ideas and paradigms in the IS-Security risk assessment discipline.